T1553: T1553

Search IOCs, vulnerabilities, APT…

216.73.216.6

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 05/02/2020 15:54 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1553
Confidence: 100/100
Revoked: No
Published: 05/02/2020 15:54
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Subvert Trust Controls

Platforms

windows macos linux

Description

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site. Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

SpectorOps Subverting Trust Sept 2017
Securelist Digital Certificates
Symantec Digital Certificates
SpectorOps Code Signing Dec 2017
mitre-attack (T1553)

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (50)

Agenda related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Agrius related Pink SandstormAMERICIUM

The MITRE Corporation Confidence 100

[Agrius](https://attack.mitre.org/groups/G1030) is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bloody Wolf related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL0P related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CNC related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Calisto related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Contagious Interview related Gwisin GangTAG-121

The MITRE Corporation Confidence 100

[Contagious Interview](https://attack.mitre.org/groups/G1052) is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials.…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Danabot related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
EXOTIC LILY related

The MITRE Corporation Confidence 100

[EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Goldoon related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Grandoreiro related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Head Mare and Twelve related

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

13–24 of 50

FormBook uses

Family
PhantomJitter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CloudMensis uses
Strigoi Master uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
filecoauthx86.exe uses

Family
STAYSHANTE uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Babyk uses

Family
BlackCat uses
DcRAT uses

Family
WINTAPIX uses

Family
CollectionRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ValleyRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 8

1–12 of 85

Operation TaxShadow: Multi-Region Tax Phishing & In-Memory Malware … related

19 MITREs 5 Observables
FakeWallet crypto stealer spreading in the App Store related

AlienVault Confidence 100 23 MITREs 2 Malwares 53 IOCs 53 Observables
Illuminating VoidLink: Technical analysis of the VoidLink rootkit … related

18 MITREs 1 Malware 2 Observables
Analyzing the Current State of AI Use in … related

1 CVE 15 MITREs 2 Malwares 4 Observables
North Korean Lazarus Group Now Working With Medusa … related

20 MITREs 52 Observables 1 APT
UNC1069 Targets Cryptocurrency Sector with New Tooling and … related

12 MITREs 15 Observables 1 APT
Cryptocurrency Sector Targeted with New Tooling and AI-Enabled … related

12 MITREs 15 Observables 1 APT
AI-Automated Threat Hunting Brings GhostPenguin Out of the … related

17 MITREs 1 Malware 2 Observables
New Tomiris tools and techniques: multiple reverse shells, … related

17 MITREs 16 Malwares 66 Observables 1 APT
Contagious Interview Actors Now Utilize JSON Storage Services … related

15 MITREs 4 Malwares 84 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech … related

12 MITREs 1 Malware 12 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (44)

CVE-2021-31201 KEV targets

Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2024-21887 KEV targets

9.1 Critical

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure contain a command injection vulnerability in the web …

Attack vector: Network
Published: 10/01/2024
Modified: 27/05/2026

CVE-2023-20273 KEV targets

7.2 High

Cisco IOS XE contains a command injection vulnerability in the web user interface. When chained with CVE-2023-20198, the attacker can leverage the …

Attack vector: Network
Published: 23/10/2023
Modified: 21/12/2025

CVE-2024-38193 KEV targets

7.8 High

Microsoft Windows Ancillary Function Driver for WinSock contains an unspecified vulnerability that allows for privilege escalation, enabling a local attacker to gain …

Attack vector: Local
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2024-38196 targets

7.8 High

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Attack vector: LOCAL
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2022-2204 targets

Published: 20/12/2025
Modified: 20/12/2025

CVE-2015-2051 KEV targets

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CWE-77

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2022-42475 KEV targets

9.8 Critical

Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …

Attack vector: Network
Published: 13/12/2022
Modified: 20/12/2025

CVE-2024-5274 KEV targets

9.6 Critical

Google Chromium V8 contains a type confusion vulnerability that allows a remote attacker to execute code via a crafted HTML page. This …

Attack vector: Network
Published: 28/05/2024
Modified: 21/12/2025

Awaiting Analysis

CVE-2021-31199 KEV targets

Microsoft Enhanced Cryptographic Provider contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

← Previous

Page / 4

13–24 of 44

T1553.005 subtechnique-of

Mark-of-the-Web Bypass MITRE
T1553.004 subtechnique-of

Install Root Certificate MITRE

Course Of Action (2)

Restrict Registry Permissions mitigates
Privileged Account Management mitigates

Contact About Legal notice Privacy policy Terms of use

T1553: T1553

Essential information

Aliases

Platforms

Description

Kill chain phases

Marking (TLP)

External references

Related entities

Intrusion sets (APT) (50)

Malware (85)

Reports (50)

Vulnerabilities (CVE) (44)

Attack patterns (MITRE) (2)

Course Of Action (2)